Attack using ./stealth

aaelghat
Posts: 75
Member Since:
2007-01-15

My server CPU had been pegged at 100%. When I looked at the running processes using Webmin, there were processes running as the Asterisk user, and the process name was ./stealth followed by an IP address. When I looked up the IP addresses using WHOIS, they originated from Amsterdam, from the "RIPE Network Coordination Centre" (I'm based in the US).

I realize I need to upgrade my Trixbox to get the latest security updates, but what can I do in the short term to thwart this?



aaelghat
Posts: 75
Member Since:
2007-01-15
One addition... I already am disallowing certain IPs using my hosts file, but maybe these folks got in before I could do that.

I did find the stealth file in the directory /var/tmp/.,.

There are a number of files in that directory. Do you think I can just delete the entire directory? Thanks.
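A defender-side check in the spirit of this thread, added here as an example and not code from the original posts: it scans a ps listing for ./stealth processes running as the asterisk user (extracting the PID, CPU% and the remote IP argument) and tests for the hidden /var/tmp/.,. directory. The ps sample is constructed, and its IPs are documentation addresses rather than the ones the poster saw.

```shell
#!/bin/sh
# Added example (not from the thread). Flags ./stealth processes owned by the
# asterisk user in a `ps -eo user,pid,pcpu,args` listing and checks whether
# the hidden directory from the thread exists.

# Constructed sample of `ps -eo user,pid,pcpu,args` output (not real data;
# 192.0.2.x and 198.51.100.x are reserved documentation ranges).
SAMPLE_PS='USER       PID %CPU COMMAND
root         1  0.0 init [3]
asterisk  1201  2.1 /usr/sbin/asterisk -U asterisk -G asterisk
asterisk  4412 99.3 ./stealth 192.0.2.10
asterisk  4413 98.7 ./stealth 198.51.100.7
apache    2201  0.3 /usr/sbin/httpd'

# Hidden directory the thread found the binary in.
SUSPECT_DIR='/var/tmp/.,.'

# find_stealth_procs <ps-output>: prints "pid cpu ip" for every process
# whose owner is asterisk and whose command is exactly ./stealth.
find_stealth_procs() {
    printf '%s\n' "$1" | awk '
        $1 == "asterisk" && $4 == "./stealth" { print $2, $3, $5 }'
}

# check_suspect_dir <path>: exit 0 if the directory exists, 1 otherwise.
check_suspect_dir() {
    [ -d "$1" ]
}

# Run directly: report matches from the live system if ps is available,
# otherwise from the constructed sample.
if command -v ps >/dev/null 2>&1; then
    find_stealth_procs "$(ps -eo user,pid,pcpu,args)"
else
    find_stealth_procs "$SAMPLE_PS"
fi
if check_suspect_dir "$SUSPECT_DIR"; then
    # Preserve a copy (e.g. tar with ls -la output) before deleting anything.
    echo "found $SUSPECT_DIR: archive it for later analysis before removing"
fi
```

Pipe a saved ps listing into find_stealth_procs to triage a capture offline; the directory check only reports, it never deletes.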



euser4life
Posts: 180
Member Since:
2006-07-16
Maybe this will lead you in the right direction....

aaelghat
Posts: 75
Member Since:
2007-01-15
Thanks - good find!


